I was at an executive event a couple of weeks ago hosted by a Sporting Franchise which also happens to own the stadium the event was being held in. The VP of Digital Transformation was the hostess and was explaining the transformation of that franchise – which used to sell tickets primarily through the on-site box office and by mail until a few years ago.

Yes – you heard that right. However, successive years of falling season ticket holders jolted them; they realized they needed to speed into the future, and she was hired. Today, they have sensors on every seat to measure average sitting time, audio meters to correlate applause causation, beverage and food consumption attributed to the event, day of week, weather etc. and digitized ticketing for individual ticket holder monitoring. In short, they have become an all-digital and analytics IT shop. But a big side effect of this transformation is that they now have a lot of private (maybe that word needs to be retired) fan information and are responsible for both the safekeeping and disclosure (that they hold this data) to their fans.

But that is easier said than done. Why so? Because just as this sports franchise’s primary business mandate is to attract fans and keep the stadium’s occupancy rate high, the primary business of a restaurant chain or a hair salon has not changed even as they go all digital. And with the tools available today – sensors, analytics, social engagement, customized engagements and so on – the transformation to digital is not all that hard.

So, the step towards digital can be accomplished, and now they have an endless stream of ‘data’ and ‘actionable analytics’ that they can use to recruit more fans and presenters and accomplish the primary business goal. But, in this transformation, given IT was never their primary focus, they often fail to realize that the accumulation of digital assets and the intrusive profiling they are now doing mean they are subject to – both from a moral and ethical standpoint as well as a regulatory and risk management standpoint – a stringent security and compliance framework that they never had to deal with in the past.

And this is the crux of the problem. What’s more, because going all cloud removes the need to invest in complex hardware and software, their insulation from ever having to see or manage the server racks and storage arrays means the problem is out of sight and conveniently ignored. Until – an #Equifax – happens. And suddenly they realize – along with the regulatory watchdogs, irate customers and unhappy investors – that this sand pit was being dug all along!

So, what does a business do then – go back to the abacus? #AbsolutelyNot. The value that data collection, analytics and customization bring is enormous. There is no going back. But every business needs to realize three things:

1. Their customers need to be made aware of the data that is being collected – full disclosure.

2. Investing in in-house (not outsourced) security expertise to constantly drive awareness of what sort of data is being collected, why, and how to protect the same.

3. Continuous awareness of the regulatory environment (different than #2) and ensuring adherence to the same. Case in point is the much publicized GDPR (General Data Protection Regulation), which brings interesting mandates and power to the end customer like ‘the right to be forgotten’, loosely translating to exhuming all digital footprints when a customer chooses to exercise that option.

Butchering a famous proverb to drive the point home, “with great digital transformation, comes great responsibility.” Enterprises – big and small – need to take that seriously.

This article is published as part of the IDG Contributor Network.

Ashwin Krishnan is a cyber moralist, cybersecurity evangelist, board advisor, podcaster, author and blogger with over two decades of hi-tech executive experience in the cybersecurity and virtualization domain. One of the coauthors of Mobile Security for Dummies and a recognized thought leader, he is a regular columnist with CSOOnline.com, ITSPMagazine, ThriveGlobal, CPOMagazine and Qrius.